Paul Gear
2005-Jan-07 01:18 UTC
Questions: place for doco, and routestopped during 'shorewall restart'
Hi folks,

A while back we had some discussions about integrating heartbeat and shorewall. Thanks to your help and the excellent state of Linux failover clustering, i've managed to install my high-availability firewall. I know there's already a howto for it at http://www.xenos.net/library/hafirewall.html, but i thought i would document my setup for others, since it's slightly different to that documented in the aforementioned URL. Now that the Shorewall wiki is no more, where would be the best place to put it? I'm happy to host it on my web site and just send a link to the mailing list when it's done, but it's not a very high-performance site (128 Kbps uplink), so i'm wondering if anyone might be interested in putting it in a more accessible location.

Also, i have a question about how shorewall handles traffic during a 'shorewall restart': i've found that whenever i do this on one of my clustered firewalls, i get a huge number of errors in syslog relating to heartbeat timeouts. I've got the other cluster node in the routestopped file on both nodes, and ADMINISABSENTMINDED=Yes in shorewall.conf, but it still gives me errors like these:

Jan 7 10:10:13 fwA heartbeat[13997]: ERROR: Error sending packet: Operation not permitted
Jan 7 10:10:13 fwA heartbeat[13997]: ERROR: write failure on ping 192.168.0.43.: Operation not permitted
Jan 7 10:10:14 fwA heartbeat[13991]: ERROR: Unable to send [-1] ucast packet: Operation not permitted
Jan 7 10:10:14 fwA heartbeat[13991]: ERROR: write failure on ucast eth0.: Operation not permitted

I'm using both unicast heartbeat packets and pseudo-cluster nodes via ping, hence the two slightly different messages.

Thanks,
Paul Gear, Manager IT Operations, Redlands College
38 Anson Road, Wellington Point 4160, Australia
(Please send attachments in portable formats such as PDF, HTML, or OpenOffice.)
--
The information contained in this message is copyright by Redlands College. Any use for direct sales or marketing purposes is expressly forbidden. This message does not represent the views of Redlands College.
Tom Eastep
2005-Jan-07 02:10 UTC
Re: Questions: place for doco, and routestopped during 'shorewall restart'
Paul Gear wrote:
> I'm happy to host
> it on my web site and just send a link to the mailing list when it's
> done, but it's not a very high-performance site (128 Kbps uplink), so
> i'm wondering if anyone might be interested in putting it in a more
> accessible location.

Send it to me and I'll place it in the 'contrib' directory.

> Also, i have a question about how shorewall handles traffic during a
> 'shorewall restart': i've found that whenever i do this on one of my
> clustered firewalls, i get a huge number of errors in syslog relating
> to heartbeat timeouts. I've got the other cluster node in the
> routestopped file on both nodes, and ADMINISABSENTMINDED=Yes in
> shorewall.conf, but it still gives me errors like these:

Neither /etc/shorewall/routestopped nor ADMINISABSENTMINDED have any effect on restart. The code for 'restart' and 'start' is identical with the exception of the messages generated. That is because 'start' cannot assume anything about the state of Netfilter and neither can 'restart'. So, during both 'start' and 'restart':

a) RELATED and ESTABLISHED state packets are accepted.
b) DNS requests are accepted.
c) Everything else is

Which means that any sort of 'ping' where each request/reply pair goes through the complete connection cycle will be dropped.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2005-Jan-07 02:12 UTC
Re: Questions: place for doco, and routestopped during 'shorewall restart'
Tom Eastep wrote:
> So, during both 'start' and 'restart':
>
> a) RELATED and ESTABLISHED state packets are accepted.
> b) DNS requests are accepted.
> c) Everything else is

... dropped.

-Tom
Paul Gear
2005-Jan-07 02:26 UTC
Re: Questions: place for doco, and routestopped during 'shorewall restart'
Tom Eastep wrote:
> Paul Gear wrote:
>
>> I'm happy to host
>> it on my web site and just send a link to the mailing list when it's
>> done, but it's not a very high-performance site (128 Kbps uplink), so
>> i'm wondering if anyone might be interested in putting it in a more
>> accessible location.
>
> Send it to me and I'll place it in the 'contrib' directory.

Cool - will let you know when it's ready.

> ...
> Neither /etc/shorewall/routestopped nor ADMINISABSENTMINDED have any
> effect on restart. The code for 'restart' and 'start' is identical with
> the exception of the messages generated. That is because 'start' cannot
> assume anything about the state of Netfilter and neither can 'restart'.
> So, during both 'start' and 'restart':
>
> a) RELATED and ESTABLISHED state packets are accepted.
> b) DNS requests are accepted.
> c) Everything else is
>
> Which means that any sort of 'ping' where each request/reply pair goes
> through the complete connection cycle will be dropped.

Hmmm... Might have to look into some sort of workaround for that. I'll try a few things and send you a patch if i come up with something reasonably generic...
Tom Eastep
2005-Jan-07 03:28 UTC
Re: Re: Questions: place for doco, and routestopped during 'shorewall restart'
Paul Gear wrote:
> Tom Eastep wrote:
>>
>> Which means that any sort of 'ping' where each request/reply pair goes
>> through the complete connection cycle will be dropped.
>
> Hmmm... Might have to look into some sort of workaround for that.
> I'll try a few things and send you a patch if i come up with something
> reasonably generic...

Ok -- I probably won't merge it into my tree until after 2.2.0 is out.

-Tom
Paul Gear
2005-Jan-07 05:01 UTC
Re: Questions: place for doco, and routestopped during 'shorewall restart'
Tom Eastep wrote:
> Paul Gear wrote:
>
>> Tom Eastep wrote:
>>
>>> Which means that any sort of 'ping' where each request/reply pair goes
>>> through the complete connection cycle will be dropped.
>>
>> Hmmm... Might have to look into some sort of workaround for that.
>> I'll try a few things and send you a patch if i come up with something
>> reasonably generic...
>
> Ok -- I probably won't merge it into my tree until after 2.2.0 is out.

No worries - i'll try to send you patches against the 2.2.0 release code. My first idea is to add some logic which allows outgoing traffic from the firewall during start/restart if a certain variable is set. Would ADMINISABSENTMINDED make sense for this, or would you prefer a new variable to be added?
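To make the two halves of this thread concrete (Tom's description of what passes during start/restart, and Paul's idea of an opt-in rule letting the firewall itself reach its cluster peer), here is an added illustration written as plain iptables commands in a shell function. It is not Shorewall's code and not Paul's patch; the `DRYRUN` switch, the `ipt` wrapper and the peer argument are this example's own inventions, the peer address is taken from Paul's log, and the DNS rules assume UDP/53 from and through the firewall.

```shell
#!/bin/sh
# Added illustration (not Shorewall's own code): the transitional policy
# Tom lists for start/restart, plus the kind of opt-in peer rule Paul
# proposes.  DRYRUN, ipt and the peer argument are hypothetical names.

# Emit one iptables command as text when DRYRUN is set, else execute it.
ipt() {
    if [ -n "$DRYRUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Temporary policy in force while the real ruleset is being (re)loaded.
# $1 is an optional cluster-peer address: when given, locally generated
# NEW connections to/from that peer are allowed, so heartbeat unicast
# and ping traffic no longer hits the OUTPUT drop.
transitional_ruleset() {
    peer="$1"
    for chain in INPUT OUTPUT FORWARD; do
        ipt -P "$chain" DROP
        ipt -F "$chain"
        # a) RELATED and ESTABLISHED state packets are accepted
        ipt -A "$chain" -m state --state RELATED,ESTABLISHED -j ACCEPT
    done
    # b) DNS requests are accepted (assumed: UDP/53 from and through the box)
    ipt -A OUTPUT  -p udp --dport 53 -j ACCEPT
    ipt -A FORWARD -p udp --dport 53 -j ACCEPT
    # Proposed opt-in: keep the firewall able to talk to its cluster peer
    if [ -n "$peer" ]; then
        ipt -A OUTPUT -d "$peer" -m state --state NEW -j ACCEPT
        ipt -A INPUT  -s "$peer" -m state --state NEW -j ACCEPT
    fi
    # c) everything else falls through to the DROP policy.  A locally
    # generated packet dropped in OUTPUT is reported to the sending socket
    # as EPERM, which is the "Operation not permitted" heartbeat logs.
}

# How many NEW-state allow rules the policy installs in OUTPUT:
# 0 without a peer address, 1 with one.
count_peer_rules() {
    DRYRUN=1 transitional_ruleset "$1" |
        awk '/-A OUTPUT .*--state NEW/ { n++ } END { print n + 0 }'
}

# Show the rules that would be loaded, using the peer from Paul's log.
DRYRUN=1 transitional_ruleset 192.168.0.43
```

Run without DRYRUN only on a test box, since it replaces the live INPUT/OUTPUT/FORWARD policies.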
Tom Eastep
2005-Jan-07 15:11 UTC
Re: Re: Questions: place for doco, and routestopped during 'shorewall restart'
Paul Gear wrote:
> Tom Eastep wrote:
>>
>> Ok -- I probably won't merge it into my tree until after 2.2.0 is out.
>
> No worries - i'll try to send you patches against the 2.2.0 release
> code. My first idea is to add some logic which allows outgoing
> traffic from the firewall during start/restart if a certain variable
> is set. Would ADMINISABSENTMINDED make sense for this, or would you
> prefer a new variable to be added?

Let's add a new one.

Thanks,
-Tom